Advisory

While investigating a security incident on one of our Linux servers an administrator discovered a suspicious binary installed on the server which was sent to us to analyze. The binary was reverse engineered and discovered to be a backdoor and denial of service agent for flooding hosts on the internet with traffic.

Details

The agent is controlled remotely by sending specially formatted and encoded messages from a client designed for this purpose. The messages are transmitted in IP datagrams with the IP protocol field set to the value 11(Network Voice Protocol). The messages specify different types of commands for the agent to execute.

Detection

The agent overwrites argv[0] with the string '[mingetty]' to avoid detection. It is possible to examine a host to determine if this agent has been installed by looking the output of a 'ps' listing for suspicious processes with this name. Another way to detect the agent is by using the command 'netstat -aw' to list processes listening on raw sockets. Any process listed as having a raw socket open on protocol 11 (nvp) is possibly an instance of this DDoS agent.

Data Encoding

The information transferred between the client and the server is encoded using a simple algorithm. The first byte of encoded data is added, modulo 256, to the constant value 23. Each of the remaining bytes is encoded by adding their value to the encoded value of the previous byte and the constant 23. Once again the addition is performed modulo 256.

2 Address Setup

For transmit mode 2, the message contains 40 rather than 4 bytes of additional data.
This message configures the agent for communication with the client. Depending on the transmit mode specified, the agent will send responses either to only the IP address of the client or to 10 different addresses at once. The other nine address are either chosen randomly (transmit mode 1) or specified in the message from the client(transmit mode 2).

3 Shell Command

string_arg - The shell command to run.

This message instructs the agent to execute the shell command specified in the message and return the output to the client.

4 DNS Swarm

b1 Target IP byte 1

b2 Target IP byte 2

b3 Target IP byte 3

b4 Target IP byte 4

b5 Source port high byte

b6 Source port low byte

b7 resolve_flag

string_arg hostname

The target is either specified by supplying the IP address if the four target IP address bytes or by sending the hostname as the final argument and setting the resolve_flag argument. A constant source port can be specified with the source port bytes. If these bytes are both NULL, a random port will be chosen for each packet.

This attack sends DNS queries to thousands of DNS servers on the internet with the source address spoofed to be the address of the target. The DNS servers respond to the requests flooding the target. The binary contains the IP addresses of literally thousands of active DNS servers on the internet. It is presumed that this list was collected by widely portscanning.

5 Datagram Flood

b1 type (0 = UDP, 1 = ICMP)

b2 port (One byte only for port value)

b3 Target IP byte 1

b4 Target IP byte 2

b5 Target IP byte 3

b6 Target IP byte 4

b7 Source IP byte 1

b8 Source IP byte 2

b9 Source IP byte 3

b10 Source IP byte 4

b11 Resolve Flag

str Hostname

This command floods a target address with either UDP or ICMP Echo Datagrams. The type of packet is selected with the type argument. Both the source and destinations must be specified in the message. The destination can either be selected by setting the corresponding 4 IP address bytes or by setting the Resolve Flag and providing a hostname in the final argument.

6 Portshell

This command requires no additional arguments. When this command is received the agent forks and starts listening on TCP port number 23281. Connecting to this port and supplying the correct password (The password is: SeNiF) will cause a shell to be executed with the socket duplicated on the standard descriptors. This is a usual portshell backdoor.

7 Execute Command

str command

This command executes a shell command and ignores the output. It is like command number 3, but does not return any output to the client.

8 Kill Current Command

This command kills any currently executing command. Such as a portshell server or a currently executing denial of service command. The agent is designed to only be able to run one command at a time, so it is necessary to stop a command before starting another.

9 DNS Swarm 2

b1 Target IP byte 1

b2 Target IP byte 2

b3 Target IP byte 3

b4 Target IP byte 4

b5 Burst Count

b6 Source port high byte

b7 Source port low byte

b8 resolve_flag

string_arg hostname

This command functions exactly like command number 4 with one minor difference. This version allows you to specify a 'Burst Count' which is a number of packets that the agent will attempt to send at one time before sleeping for a very brief period of time. This feature probably exists to allow control over consumption of resources on the server the agent is installed on.

10 SYN Flood

b1 Target IP byte 1

b2 Target IP byte 2

b3 Target IP byte 3

b4 Target IP byte 4

b5 Target Port high byte

b6 Target Port low byte

b7 Source Address Flag

b8 Source IP byte 1

b9 Source IP byte 2

b10 Source IP byte 3

b11 Source IP byte 4

b12 Resolve Flag

str Hostname

This command floods a target with TCP SYN packets to the specified port. The source address can either be specified by setting the Source Address Flag and sending the address bytes in the packet. If the Source Address Flag is not sent, each packet is sent from a different random source address. The target can either be selected by sending it's IP address in the first four bytes, or by setting the Resolve Flag and sending the target hostname as the last argument.

11 SYN Flood 2

b1 Target IP byte 1

b2 Target IP byte 2

b3 Target IP byte 3

b4 Target IP byte 4

b5 Target Port high byte

b6 Target Port low byte

b7 Source Address Flag

b8 Source IP byte 1

b9 Source IP byte 2

b10 Source IP byte 3

b11 Source IP byte 4

b12 Burst Count

b13 Resolve Flag

str Hostname

This command is identical to the previous with the addition of an argument forspecifying a 'Burst Count'. See the description of command 9 for an explanation of this parameter.

12 DNS Flood

b1 Target IP byte 1

b2 Target IP byte 2

b3 Target IP byte 3

b4 Target IP byte 4

b5 Source IP byte 1

b6 Source IP byte 2

b7 Source IP byte 3

b8 Source IP byte 4

b9 Burst Count

b10 Source port high byte

b11 Source port low byte

b12 Resolve Flag

This command floods a target by sending UDP DNS queries to the DNS port on the target. If the source address bytes are specified then the packets are spoofed to appear to come from that address. Otherwise, each packet is sent from a different random source address. The source port can be specified, or set to zero and the server will choose a random source port for each packet. The targe address can be specified by providing the IP address bytes, or by setting the Resolve Flag and sending the hostname in the final argument. The use of the Burst Count parameter was explained earlier.